S3secret Scanner is a tool that helps enforce Amazon S3 security best practices by actively hunting for secrets within public S3 buckets.
It can run as a scheduled task or on demand.
Automation Workflow
The automation performs these actions:
- In the account, list the public buckets (buckets whose ACL is set to public, or whose objects may be public).
- List the sensitive or textual files (i.e.
- Download, scan, and then delete all the files once the evaluation is complete.
- Write the results to log files.
Prerequisites
- Python 3.6 or later
- TruffleHog3 available in $PATH
- An AWS role with these permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketTagging",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
```
- A CSV file listing the accounts to scan, for example:

```csv
Account name,Account id
prod,123456789
ci,321654987
dev,148739578
```
Getting Started
To install, clone the repository and install the requirements and trufflehog3 with pip3:

```shell
# Clone the repo
git clone <repo>
# Install requirements
pip3 install -r requirements.txt
# Install trufflehog3
pip3 install trufflehog3
```
Usage
Argument | Values | Description | Required |
---|---|---|---|
-p, -aws_profile | | AWS profile name whose access keys are used | |
-r, -scanner_role | | Name of the AWS role used by the scanner | |
-m, -method | Internal | Scan type | |
-l, -last_modified | 1-365 | Only scan files modified within the last N days; default 1 | |
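An added example (not the project's own code) of the selection logic that the workflow above and the -l, -last_modified option describe: deciding whether a bucket is public from its ACL grants and its policy status, then picking the textual objects modified within the last N days. The response shapes follow what boto3's get_bucket_acl, get_bucket_policy_status and list_objects_v2 return; the sample responses and the list of textual extensions are constructed assumptions.

```python
# Added example, not part of S3secret Scanner: pure functions over the data
# shapes boto3 returns, so it runs offline on the constructed input below.
from datetime import datetime, timedelta, timezone

# Grantee URIs that make an ACL readable by everyone / by any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Assumed set of "textual" extensions worth downloading for a secret scan.
TEXT_EXTENSIONS = (".txt", ".log", ".json", ".yml", ".yaml", ".env", ".cfg", ".ini", ".sh", ".py")


def acl_is_public(acl):
    """True if any grant in a GetBucketAcl response goes to AllUsers/AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
               for g in acl.get("Grants", []))


def bucket_is_public(acl, policy_status):
    """Public if either the ACL or the bucket policy (GetBucketPolicyStatus) exposes it."""
    return acl_is_public(acl) or policy_status.get("PolicyStatus", {}).get("IsPublic", False)


def select_candidates(objects, last_modified_days=1, now=None):
    """Keys of textual objects modified within the last N days (the -l, -last_modified window)."""
    if not 1 <= last_modified_days <= 365:
        raise ValueError("last_modified_days must be within 1-365")
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=last_modified_days)
    return [o["Key"] for o in objects
            if o["Key"].lower().endswith(TEXT_EXTENSIONS) and o["LastModified"] >= cutoff]


# Constructed sample responses (no real accounts, buckets or objects).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
NOT_PUBLIC_POLICY = {"PolicyStatus": {"IsPublic": False}}
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    {"Key": "config/app.env", "LastModified": NOW - timedelta(hours=6)},
    {"Key": "backup/old.json", "LastModified": NOW - timedelta(days=30)},
    {"Key": "images/logo.png", "LastModified": NOW - timedelta(hours=1)},
]

if __name__ == "__main__":
    print(bucket_is_public(SAMPLE_ACL, NOT_PUBLIC_POLICY), select_candidates(SAMPLE_OBJECTS, 1, NOW))
```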